Introducing Code Access Security in .NET Framework

Introduction

Code Access Security is a feature that enables you to define restrictions on code that would be executing in the managed environment. You can use Code Access Security to restrict access to your code, define policy levels (Enterprise, Machine, User and Application Domain), code groups, and grant or revoke permissions, etc. You can also implement both imperative and declarative security modes in your application. This article takes a look at Code Access Security (CAS) the benefits of the concepts while emphasizeing the new features in CAS in .NET Framework 4.0.

What is Code Access Security?

Code Access Security is a security feature in .NET that provides restrictions on the code that is to be executed based on who the owner of the code is, where it has been downloaded from, the evidences, etc. The CLR would allow your code to only perform operations that are permitted. The Wikipedia states: "Code Access Security (CAS), in the Microsoft .NET framework, is Microsoft's solution to prevent untrusted code from performing privileged actions. When the CLR loads an assembly it will obtain evidence for the assembly and use this to identify the code group that the assembly belongs to. A code group contains a permission set (one or more permissions). Code that performs a privileged action will perform a code access demand which will cause the CLR to walk up the call stack and examine the permission set granted to the assembly of each method in the call stack. The code groups and permission sets are determined by the administrator of the machine who defines the security policy." http://en.wikipedia.org/wiki/Code_Access_Security
In essence, you can use Code Access Security to restrict what all your code can do, restrict which code can invoke your code and also identify code. Code Access Security imposes certain restrictions and policies based on which access to protected resources and operations are governed.

Note that Code Access Security is based on two key concepts, namely, Code Groups and Permissions. Each and every .NET assembly belongs to a particular Code Group. Each Code Group in turn is granted a set of permissions that are specified in the permission set to which it is associated. You can use the following command in the command line to see the code groups defined on your system:

caspol -lg

Code Access Security comprises of the following elements:

Permissions - these represent a resource that is protected, or, the ability to perform an operation that is protected.

Evidence - This can be defined as information that is associated with an assembly--it denotes the origin of code. The CLR examines the evidence associated with the code and then it checks what all permission sets are associated with the code group. Some typical types of evidence include: site, strong name, publisher, URL and zone. In essence, evidence is typically used to authenticate the code. The various identity permissions that are used to authenticate code include: PublisherIdentityPermission, SiteIdentityPermission, StrongNameIdentityPermission, ZoneIdentityPermission and URLIdentityPermission.

Policies - Policies are defined as a configurable set of rules that determine the permissions to grant access to a piece of code. Policies typically represent the user roles. There consist of the following types: Application Domain Policy, User Policy, Machine Policy and Enterprise Policy.

Using Declarative and Imperative Syntax

You can define Code Access Security in your code either using declarative syntax or using imperative syntax. While you use attributes to define Code Access Security declaratively, the imperative syntax used runtime method calls.

Introducing Code Access Security in .NET Framework

Code Access Security in ASP.NET

Your ASP.NET applications run with full trust and have unrestricted permissions by default. However, you can configure the trust levels using the <trust> element in the machine.config file as shown below:

Changes in .NET Framework 4

Microsoft .NET Framework 4 is available as part of Microsoft Visual Studio 2010 release. The two major security changes that have come in .NET Framework 4 are:

Elimination of machine wide Security Policy

Security transparency is now the Default Enforcement Mechanism

Note that Code Access Security has not been eliminated. The Security Policy has been removed but you still have evidence and permissions in effect. To know more on the security changes in .NET Framework 4, you can take a look at the MSDN article, "Security Changes in the .NET Framework 4".

Summary

Code Access Security is a security feature in .NET that you can use to impose certain restrictions on the code to be executed. The MSDN states: "Code access security (CAS) is the .NET Framework security mechanism (the "sandbox") that is used by ASP.NET to enforce constraints on the ability to execute code." Reference: http://msdn.microsoft.com/en-us/library/dd984947.aspx

In this article we examined Code Access Security in .NET with special focus on the new features that came up in .NET Framework 4.0. Happy reading!

Top White Papers and Webcasts

Live Event Date: March 19, 2015 @ 1:00 p.m. ET / 10:00 a.m. PT
The 2015 Enterprise Mobile Application Survey asked 250 mobility professionals what their biggest mobile challenges are, how many employees they are equipping with mobile apps, and their methods for driving value with mobility.
Join Dan Woods, Editor and CTO of CITO Research, and Alan Murray, SVP of Products at Apperian, as they break down the results of this survey and discuss how enterprises are using mobile application management and private …

On-demand Event
Event Date: February 12, 2015
The evolution of systems engineering with the SysML modeling language has resulted in improved requirements specification, better architectural definition, and better hand-off to downstream engineering. Agile methods have proven successful in the software domain, but how can these methods be applied to systems engineering? Check out this webcast and join Bruce Powel Douglass, author of Real-Time Agility, as he discusses how agile methods have had a tremendous …